cookie and session

[clausowitz]

Hi All,

 

I have a secure website which always checks the cookies is not expired and the session id is set.

When someone doesn't browse for the period of the cookie it will expire however the session id stays valid

until he logout. A lot of people don't logout so the pages will still be accessable for them or others who use

their pc.

 

Is there a way to destroy the session id when the cookies expires?

 

Marco

[floridaflatlander]

I think you can set your session cookie to expire just like a cookie.

 

setcookie('PHPSESSID(or whatever the cookie name is)', and then the other cookie info'');

 

 

[ManiacDan]

Don't use setcookie, used the built-in cookie management functions

[clausowitz]

This is what happens if someone logout like he should:

 

$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie
if (isset($_COOKIE['idCookie'])) {
    setcookie("idCookie", '', time()-42000, '/');
setcookie("passCookie", '', time()-42000, '/');
}

// Destroy the session variables
session_unset();
session_destroy();

 

How could I use the cookie functions to unset the session?

[ManiacDan]

You don't use the cookie functions to unset the session, you use the cookie function to set a timeout on the session cookie when the users first visit the site.  Wherever you call session_start, set a timeout on the session cookie so if the user leaves their browser idle for more than X minutes, the cookie disappears.

 

-Dan

[clausowitz]

Like this?

// Create session var for their raw id
				$id = $row["id"];   
				$_SESSION['id'] = $id;
				// Create the idx session var
				$_SESSION['idx'] = base64_encode("g4p3h9xfn8sq03hs2234$id");
				setcookie("idx",$id,time()+$lifetime);
				// Create session var for their username
				$username = $row["username"];
				$_SESSION['username'] = $username;
				// Create session var for their email
				$useremail = $row["email"];
				$_SESSION['useremail'] = $useremail;
				// Create session var for their password
				$userpass = $row["password"];
				$_SESSION['userpass'] = $userpass;
				// GET USER IP ADDRESS

[ManiacDan]

That link I posted goes to the session_set_cookie_params() function manual page.  If you don't use that function in your code, then no...not like that.

[clausowitz]

Dan,

 

could you give me an example please, I am rather new to this.

 

Marco

[ManiacDan]

session_set_cookie_params(7200);
session_start();

Just like that.  That will expire the session after 2 hours of inactivity.  That comes right from the manual page.

[clausowitz]

I put this code first thing in the login page but after 5 minutes I can still browse the site.

session_set_cookie_params(200);
session_start();

[ManiacDan]

Are you actively browsing the site?  Cookies are reset upon every page execution.

[clausowitz]

Well I had to try if I was still logged in, so yes I tried one page.

How else should it work? If anyone can just after the expiring click a link and the session is reset?

[ManiacDan]

The session cookie will be reset for X seconds with every page click, where X is the argument you provide to that function.

 

If someone clicks before X seconds have elapsed, then the timer is reset.

 

If nothing happens (not even ajax calls) for X seconds, the cookie SHOULD disappear from your browser and the session will expire.

 

If you have anything else that restores the session (like your userID cookies) that invalidates this whole discussion.

[clausowitz]

according to the page you directed me to it will only have effect on cookies which were set by PHP

not those who are set with setcookie....

[ManiacDan]

The session works off a cookie called PHPSESSID.  That is the cookie controlled by session_set_cookie_params()